From 5b0fd910ad4e0b0b30b873ada3ed55c320c5fa08 Mon Sep 17 00:00:00 2001
From: nin9s <strrrn@gmail.com>
Date: Tue, 4 Jun 2019 23:17:07 +0200
Subject: [PATCH] added filebeat 7.1.1 support

added filebeat 7.1.1 support
---
 etc/{filebeat => filebeat 1.3.1}/filebeat.yml | 0
 etc/filebeat 7.x/filebeat.yml | 18 +
 logstash-syslog-dns-index.template_7.1.json | 6217 +++++++++++++++++
 3 files changed, 6235 insertions(+)
 rename etc/{filebeat => filebeat 1.3.1}/filebeat.yml (100%)
 create mode 100644 etc/filebeat 7.x/filebeat.yml
 create mode 100644 logstash-syslog-dns-index.template_7.1.json

diff --git a/etc/filebeat/filebeat.yml b/etc/filebeat 1.3.1/filebeat.yml
similarity index 100%
rename from etc/filebeat/filebeat.yml
rename to etc/filebeat 1.3.1/filebeat.yml
diff --git a/etc/filebeat 7.x/filebeat.yml b/etc/filebeat 7.x/filebeat.yml
new file mode 100644
index 0000000..1966e7b
--- /dev/null
+++ b/etc/filebeat 7.x/filebeat.yml
@@ -0,0 +1,18 @@
+# created by n9nes #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
+#################################################################
+
+filebeat.modules:
+- module: logstash
+
+filebeat.inputs:
+- type: log
+ enabled: true
+ paths:
+ - /var/log/pihole.log
+
+name: elk-hole
+
+output.logstash:
+ enabled: true
+ hosts: ["127.0.0.1:5141"]
diff --git a/logstash-syslog-dns-index.template_7.1.json b/logstash-syslog-dns-index.template_7.1.json
new file mode 100644
index 0000000..cb982c3
--- /dev/null
+++ b/logstash-syslog-dns-index.template_7.1.json
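Review bot: `- module: logstash` under `filebeat.modules` enables Filebeat's module for parsing Logstash's own log files, which has no apparent connection to the single `/var/log/pihole.log` input this config ships to the Logstash output; with no `var.paths` given it will presumably scan the module's default locations for Logstash logs on the same host (verify on a 7.1.1 install). If that is not intentional, drop the two lines `filebeat.modules:` / `- module: logstash`; if it is, a comment such as `# logstash module: parses Logstash's own logs, independent of the pihole input` above it would stop the next reader from mistaking it for the output configuration. The `output.logstash` block also sets no `ssl.*` options, which is acceptable for the loopback `hosts` value here but means the beat-to-Logstash transport becomes plaintext the moment `hosts` is pointed at another machine; a comment noting that `ssl.certificate_authorities` must be configured for a remote Logstash would make that constraint visible.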
@@ -0,0 +1,6217 @@ +{ + "logstash-syslog-dns" : { + "order" : 1, + "index_patterns" : [ + "logstash-syslog-dns*" + ], + "settings" : { + "index" : { + "lifecycle" : { + "name" : "filebeat-7.1.1", + "rollover_alias" : "filebeat-7.1.1" + }, + "mapping" : { + "total_fields" : { + "limit" : "10000" + } + }, + "refresh_interval" : "5s", + "number_of_routing_shards" : "30", + "query" : { + "default_field" : [ + "message", + "tags", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "client.address", + "client.domain", + "client.geo.city_name", + "client.geo.continent_name", + "client.geo.country_iso_code", + "client.geo.country_name", + "client.geo.name", + "client.geo.region_iso_code", + "client.geo.region_name", + "client.mac", + "client.user.email", + "client.user.full_name", + "client.user.group.id", + "client.user.group.name", + "client.user.hash", + "client.user.id", + "client.user.name", + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "container.id", + "container.image.name", + "container.image.tag", + "container.name", + "container.runtime", + "destination.address", + "destination.domain", + "destination.geo.city_name", + "destination.geo.continent_name", + "destination.geo.country_iso_code", + "destination.geo.country_name", + "destination.geo.name", + "destination.geo.region_iso_code", + "destination.geo.region_name", + "destination.mac", + "destination.user.email", + "destination.user.full_name", + "destination.user.group.id", + "destination.user.group.name", + "destination.user.hash", + "destination.user.id", + "destination.user.name", + "ecs.version", + "error.code", + "error.id", + "error.message", + "event.action", + "event.category", + "event.dataset", + "event.hash", + "event.id", + "event.kind", + "event.module", + "event.original", + "event.outcome", + "event.timezone", + "event.type", + 
"file.device", + "file.extension", + "file.gid", + "file.group", + "file.inode", + "file.mode", + "file.owner", + "file.path", + "file.target_path", + "file.type", + "file.uid", + "geo.city_name", + "geo.continent_name", + "geo.country_iso_code", + "geo.country_name", + "geo.name", + "geo.region_iso_code", + "geo.region_name", + "group.id", + "group.name", + "host.architecture", + "host.geo.city_name", + "host.geo.continent_name", + "host.geo.country_iso_code", + "host.geo.country_name", + "host.geo.name", + "host.geo.region_iso_code", + "host.geo.region_name", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.full", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.type", + "host.user.email", + "host.user.full_name", + "host.user.group.id", + "host.user.group.name", + "host.user.hash", + "host.user.id", + "host.user.name", + "http.request.body.content", + "http.request.method", + "http.request.referrer", + "http.response.body.content", + "http.version", + "log.level", + "log.original", + "network.application", + "network.community_id", + "network.direction", + "network.iana_number", + "network.name", + "network.protocol", + "network.transport", + "network.type", + "observer.geo.city_name", + "observer.geo.continent_name", + "observer.geo.country_iso_code", + "observer.geo.country_name", + "observer.geo.name", + "observer.geo.region_iso_code", + "observer.geo.region_name", + "observer.hostname", + "observer.mac", + "observer.os.family", + "observer.os.full", + "observer.os.kernel", + "observer.os.name", + "observer.os.platform", + "observer.os.version", + "observer.serial_number", + "observer.type", + "observer.vendor", + "observer.version", + "organization.id", + "organization.name", + "os.family", + "os.full", + "os.kernel", + "os.name", + "os.platform", + "os.version", + "process.args", + "process.executable", + "process.name", + "process.title", + "process.working_directory", + 
"server.address", + "server.domain", + "server.geo.city_name", + "server.geo.continent_name", + "server.geo.country_iso_code", + "server.geo.country_name", + "server.geo.name", + "server.geo.region_iso_code", + "server.geo.region_name", + "server.mac", + "server.user.email", + "server.user.full_name", + "server.user.group.id", + "server.user.group.name", + "server.user.hash", + "server.user.id", + "server.user.name", + "service.ephemeral_id", + "service.id", + "service.name", + "service.state", + "service.type", + "service.version", + "source.address", + "source.domain", + "source.geo.city_name", + "source.geo.continent_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.name", + "source.geo.region_iso_code", + "source.geo.region_name", + "source.mac", + "source.user.email", + "source.user.full_name", + "source.user.group.id", + "source.user.group.name", + "source.user.hash", + "source.user.id", + "source.user.name", + "url.domain", + "url.fragment", + "url.full", + "url.original", + "url.password", + "url.path", + "url.query", + "url.scheme", + "url.username", + "user.email", + "user.full_name", + "user.group.id", + "user.group.name", + "user.hash", + "user.id", + "user.name", + "user_agent.device.name", + "user_agent.name", + "user_agent.original", + "user_agent.os.family", + "user_agent.os.full", + "user_agent.os.kernel", + "user_agent.os.name", + "user_agent.os.platform", + "user_agent.os.version", + "user_agent.version", + "agent.hostname", + "error.type", + "cloud.project.id", + "host.os.build", + "kubernetes.pod.name", + "kubernetes.pod.uid", + "kubernetes.namespace", + "kubernetes.node.name", + "kubernetes.container.name", + "kubernetes.container.image", + "log.file.path", + "log.source.address", + "stream", + "input.type", + "syslog.severity_label", + "syslog.facility_label", + "process.program", + "log.flags", + "user_agent.os.full_name", + "fileset.name", + "apache.access.ssl.protocol", + "apache.access.ssl.cipher", + 
"apache.error.module", + "user.terminal", + "user.audit.id", + "user.audit.name", + "user.audit.group.id", + "user.audit.group.name", + "user.effective.id", + "user.effective.name", + "user.effective.group.id", + "user.effective.group.name", + "user.filesystem.id", + "user.filesystem.name", + "user.filesystem.group.id", + "user.filesystem.group.name", + "user.owner.id", + "user.owner.name", + "user.owner.group.id", + "user.owner.group.name", + "user.saved.id", + "user.saved.name", + "user.saved.group.id", + "user.saved.group.name", + "auditd.log.old_auid", + "auditd.log.new_auid", + "auditd.log.old_ses", + "auditd.log.new_ses", + "auditd.log.items", + "auditd.log.item", + "auditd.log.tty", + "auditd.log.a0", + "elasticsearch.component", + "elasticsearch.cluster.uuid", + "elasticsearch.cluster.name", + "elasticsearch.node.id", + "elasticsearch.node.name", + "elasticsearch.index.name", + "elasticsearch.index.id", + "elasticsearch.shard.id", + "elasticsearch.audit.layer", + "elasticsearch.audit.event_type", + "elasticsearch.audit.origin.type", + "elasticsearch.audit.realm", + "elasticsearch.audit.user.realm", + "elasticsearch.audit.user.roles", + "elasticsearch.audit.action", + "elasticsearch.audit.url.params", + "elasticsearch.audit.indices", + "elasticsearch.audit.request.id", + "elasticsearch.audit.request.name", + "elasticsearch.gc.phase.name", + "elasticsearch.gc.tags", + "elasticsearch.slowlog.logger", + "elasticsearch.slowlog.took", + "elasticsearch.slowlog.types", + "elasticsearch.slowlog.stats", + "elasticsearch.slowlog.search_type", + "elasticsearch.slowlog.source_query", + "elasticsearch.slowlog.extra_source", + "elasticsearch.slowlog.total_hits", + "elasticsearch.slowlog.total_shards", + "elasticsearch.slowlog.routing", + "elasticsearch.slowlog.id", + "elasticsearch.slowlog.type", + "haproxy.frontend_name", + "haproxy.backend_name", + "haproxy.server_name", + "haproxy.bind_name", + "haproxy.error_message", + "haproxy.source", + "haproxy.termination_state", 
+ "haproxy.mode", + "haproxy.http.response.captured_cookie", + "haproxy.http.response.captured_headers", + "haproxy.http.request.captured_cookie", + "haproxy.http.request.captured_headers", + "haproxy.http.request.raw_request_line", + "icinga.debug.facility", + "icinga.main.facility", + "icinga.startup.facility", + "iis.access.site_name", + "iis.access.server_name", + "iis.access.cookie", + "iis.error.reason_phrase", + "iis.error.queue_name", + "iptables.fragment_flags", + "iptables.input_device", + "iptables.output_device", + "iptables.tcp.flags", + "iptables.ubiquiti.input_zone", + "iptables.ubiquiti.output_zone", + "iptables.ubiquiti.rule_number", + "iptables.ubiquiti.rule_set", + "kafka.log.component", + "kafka.log.class", + "kafka.log.trace.class", + "kafka.log.trace.message", + "kibana.log.tags", + "kibana.log.state", + "logstash.log.module", + "text", + "logstash.log.thread", + "logstash.slowlog.module", + "text", + "logstash.slowlog.thread", + "text", + "logstash.slowlog.event", + "logstash.slowlog.plugin_name", + "logstash.slowlog.plugin_type", + "text", + "logstash.slowlog.plugin_params", + "mongodb.log.component", + "mongodb.log.context", + "mysql.slowlog.query", + "mysql.slowlog.schema", + "mysql.slowlog.current_user", + "mysql.slowlog.last_errno", + "mysql.slowlog.killed", + "mysql.slowlog.log_slow_rate_type", + "mysql.slowlog.log_slow_rate_limit", + "mysql.slowlog.innodb.trx_id", + "netflow.type", + "netflow.exporter.address", + "netflow.source_mac_address", + "netflow.post_destination_mac_address", + "netflow.destination_mac_address", + "netflow.post_source_mac_address", + "netflow.interface_name", + "netflow.interface_description", + "netflow.sampler_name", + "netflow.application_description", + "netflow.application_name", + "netflow.class_name", + "netflow.wlan_ssid", + "netflow.vr_fname", + "netflow.metro_evc_id", + "netflow.nat_pool_name", + "netflow.p2p_technology", + "netflow.tunnel_technology", + "netflow.encrypted_technology", + 
"netflow.observation_domain_name", + "netflow.selector_name", + "netflow.information_element_description", + "netflow.information_element_name", + "netflow.virtual_station_interface_name", + "netflow.virtual_station_name", + "netflow.sta_mac_address", + "netflow.wtp_mac_address", + "netflow.user_name", + "netflow.application_category_name", + "netflow.application_sub_category_name", + "netflow.application_group_name", + "netflow.dot1q_customer_source_mac_address", + "netflow.dot1q_customer_destination_mac_address", + "netflow.mib_context_name", + "netflow.mib_object_name", + "netflow.mib_object_description", + "netflow.mib_object_syntax", + "netflow.mib_module_name", + "netflow.mobile_imsi", + "netflow.mobile_msisdn", + "netflow.http_request_method", + "netflow.http_request_host", + "netflow.http_request_target", + "netflow.http_message_version", + "netflow.http_user_agent", + "netflow.http_content_type", + "netflow.http_reason_phrase", + "osquery.result.name", + "osquery.result.action", + "osquery.result.host_identifier", + "osquery.result.calendar_time", + "postgresql.log.timestamp", + "postgresql.log.database", + "postgresql.log.query", + "redis.log.role", + "redis.slowlog.cmd", + "redis.slowlog.key", + "redis.slowlog.args", + "santa.action", + "santa.decision", + "santa.reason", + "santa.mode", + "santa.disk.volume", + "santa.disk.bus", + "santa.disk.serial", + "santa.disk.bsdname", + "santa.disk.model", + "santa.disk.fs", + "santa.disk.mount", + "certificate.common_name", + "certificate.sha256", + "hash.sha256", + "suricata.eve.event_type", + "suricata.eve.app_proto_orig", + "suricata.eve.tcp.tcp_flags", + "suricata.eve.tcp.tcp_flags_tc", + "suricata.eve.tcp.state", + "suricata.eve.tcp.tcp_flags_ts", + "suricata.eve.fileinfo.sha1", + "suricata.eve.fileinfo.state", + "suricata.eve.fileinfo.sha256", + "suricata.eve.fileinfo.md5", + "suricata.eve.dns.type", + "suricata.eve.dns.rrtype", + "suricata.eve.dns.rrname", + "suricata.eve.dns.rdata", + 
"suricata.eve.dns.rcode", + "suricata.eve.flow_id", + "suricata.eve.email.status", + "suricata.eve.http.redirect", + "suricata.eve.http.protocol", + "suricata.eve.http.http_content_type", + "suricata.eve.in_iface", + "suricata.eve.alert.category", + "suricata.eve.alert.signature", + "suricata.eve.ssh.client.proto_version", + "suricata.eve.ssh.client.software_version", + "suricata.eve.ssh.server.proto_version", + "suricata.eve.ssh.server.software_version", + "suricata.eve.tls.issuerdn", + "suricata.eve.tls.sni", + "suricata.eve.tls.version", + "suricata.eve.tls.fingerprint", + "suricata.eve.tls.serial", + "suricata.eve.tls.subject", + "suricata.eve.app_proto_ts", + "suricata.eve.flow.state", + "suricata.eve.flow.reason", + "suricata.eve.app_proto_tc", + "suricata.eve.smtp.rcpt_to", + "suricata.eve.smtp.mail_from", + "suricata.eve.smtp.helo", + "suricata.eve.app_proto_expected", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.ssh.event", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "traefik.access.user_identifier", + "traefik.access.frontend_name", + "traefik.access.backend_url", + "zeek.session_id", + "zeek.connection.state", + "zeek.connection.history", + "zeek.connection.orig_l2_addr", + "zeek.connection.resp_l2_addr", + "zeek.dns.trans_id", + "zeek.dns.query", + "zeek.dns.qclass_name", + "zeek.dns.qtype_name", + "zeek.dns.rcode_name", + "zeek.dns.answers", + "zeek.http.status_msg", + "zeek.http.info_msg", + "zeek.http.tags", + "zeek.http.password", + "zeek.http.proxied", + "zeek.http.client_header_names", + "zeek.http.server_header_names", + "zeek.http.orig_fuids", + "zeek.http.orig_mime_types", + "zeek.http.orig_filenames", + "zeek.http.resp_fuids", + "zeek.http.resp_mime_types", + "zeek.http.resp_filenames", + "zeek.files.fuid", + "zeek.files.session_ids", + "zeek.files.source", + 
"zeek.files.analyzers", + "zeek.files.mime_type", + "zeek.files.filename", + "zeek.files.parent_fuid", + "zeek.files.md5", + "zeek.files.sha1", + "zeek.files.sha256", + "zeek.files.extracted", + "zeek.ssl.version", + "zeek.ssl.cipher", + "zeek.ssl.curve", + "zeek.ssl.server_name", + "zeek.ssl.next_protocol", + "zeek.ssl.cert_chain", + "zeek.ssl.cert_chain_fuids", + "zeek.ssl.client_cert_chain", + "zeek.ssl.client_cert_chain_fuids", + "zeek.ssl.issuer", + "zeek.ssl.client_issuer", + "zeek.ssl.validation_status", + "zeek.ssl.validation_code", + "zeek.ssl.subject", + "zeek.ssl.client_subject", + "zeek.ssl.last_alert", + "zeek.notice.connection_id", + "zeek.notice.icmp_id", + "zeek.notice.file.id", + "zeek.notice.file.parent_id", + "zeek.notice.file.source", + "zeek.notice.file.mime_type", + "zeek.notice.fuid", + "zeek.notice.note", + "zeek.notice.msg", + "zeek.notice.sub", + "zeek.notice.peer_name", + "zeek.notice.peer_descr", + "zeek.notice.actions", + "zeek.notice.email_body_sections", + "zeek.notice.email_delay_tokens", + "zeek.notice.identifier", + "fields.*" + ] + } + } + }, + "mappings" : { + "_meta" : { + "beat" : "filebeat", + "version" : "7.1.1" + }, + "dynamic_templates" : [ + { + "labels" : { + "path_match" : "labels.*", + "mapping" : { + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + }, + { + "container.labels" : { + "path_match" : "container.labels.*", + "mapping" : { + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + }, + { + "fields" : { + "path_match" : "fields.*", + "mapping" : { + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + }, + { + "docker.container.labels" : { + "path_match" : "docker.container.labels.*", + "mapping" : { + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + }, + { + "kibana.log.meta" : { + "path_match" : "kibana.log.meta.*", + "mapping" : { + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + }, + { + "strings_as_keyword" : { + "mapping" : { + 
"ignore_above" : 1024, + "type" : "keyword" + }, + "match_mapping_type" : "string" + } + } + ], + "date_detection" : false, + "properties" : { + "container" : { + "properties" : { + "image" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tag" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "runtime" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "labels" : { + "type" : "object" + } + } + }, + "kubernetes" : { + "properties" : { + "container" : { + "properties" : { + "image" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "node" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "pod" : { + "properties" : { + "uid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "namespace" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "annotations" : { + "type" : "object" + }, + "labels" : { + "type" : "object" + } + } + }, + "agent" : { + "properties" : { + "hostname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ephemeral_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "icinga" : { + "properties" : { + "debug" : { + "properties" : { + "facility" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "startup" : { + "properties" : { + "facility" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "main" : { + "properties" : { + "facility" : { + "ignore_above" : 1024, 
+ "type" : "keyword" + } + } + } + } + }, + "source" : { + "properties" : { + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "domain" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "user" : { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "packets" : { + "type" : "long" + } + } + }, + "redis" : { + "properties" : { + "log" : { + "properties" : { + "role" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "slowlog" : { + "properties" : { + "args" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "duration" : { + "properties" : { + "us" : { + "type" : "long" + } + } + }, + "cmd" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "type" : "long" + }, + "key" : { + "ignore_above" : 1024, + "type" : 
"keyword" + } + } + } + } + }, + "cloud" : { + "properties" : { + "availability_zone" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "instance" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "provider" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "machine" : { + "properties" : { + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "project" : { + "properties" : { + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "region" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "account" : { + "properties" : { + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "logstash" : { + "properties" : { + "log" : { + "properties" : { + "module" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "log_event" : { + "type" : "object" + }, + "thread" : { + "ignore_above" : 1024, + "fields" : { + "text" : { + "norms" : false, + "type" : "text" + } + }, + "type" : "keyword" + } + } + }, + "slowlog" : { + "properties" : { + "took_in_millis" : { + "type" : "long" + }, + "plugin_params" : { + "ignore_above" : 1024, + "fields" : { + "text" : { + "norms" : false, + "type" : "text" + } + }, + "type" : "keyword" + }, + "module" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "plugin_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "plugin_params_object" : { + "type" : "object" + }, + "thread" : { + "ignore_above" : 1024, + "fields" : { + "text" : { + "norms" : false, + "type" : "text" + } + }, + "type" : "keyword" + }, + "event" : { + "ignore_above" : 1024, + "fields" : { + "text" : { + "norms" : false, + "type" : "text" + } + }, + "type" : "keyword" + }, + "plugin_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "observer" : { + "properties" : { + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + 
"type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "hostname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "os" : { + "properties" : { + "kernel" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "family" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "platform" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "full" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "vendor" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "serial_number" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "netflow" : { + "properties" : { + "information_element_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "next_header_ipv6" : { + "type" : "short" + }, + "class_id" : { + "type" : "short" + }, + "distinct_count_of_sourc_eipa_ddress" : { + "type" : "long" + }, + "min_flow_start_milliseconds" : { + "type" : "date" + }, + "application_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "nat_event" : { + "type" : "short" + }, + "icmp_code_ipv6" : { + "type" : "short" + }, + "icmp_code_ipv4" : { + "type" : "short" + }, + "sampling_flow_spacing" : { + "type" : "long" + }, + 
"tcp_ack_total_count" : { + "type" : "long" + }, + "post_ip_diff_serv_code_point" : { + "type" : "short" + }, + "not_sent_packet_total_count" : { + "type" : "long" + }, + "mpls_label_stack_section10" : { + "type" : "short" + }, + "dropped_packet_total_count" : { + "type" : "long" + }, + "flow_start_sys_up_time" : { + "type" : "long" + }, + "mpls_label_stack_section5" : { + "type" : "short" + }, + "post_octet_delta_count" : { + "type" : "long" + }, + "mpls_label_stack_section4" : { + "type" : "short" + }, + "pseudo_wire_control_word" : { + "type" : "long" + }, + "mpls_label_stack_section3" : { + "type" : "short" + }, + "octet_delta_count" : { + "type" : "long" + }, + "dropped_octet_total_count" : { + "type" : "long" + }, + "initiator_octets" : { + "type" : "long" + }, + "mpls_label_stack_section2" : { + "type" : "short" + }, + "sampler_id" : { + "type" : "short" + }, + "mpls_label_stack_section9" : { + "type" : "short" + }, + "mpls_label_stack_section8" : { + "type" : "short" + }, + "mpls_label_stack_section7" : { + "type" : "short" + }, + "metering_process_id" : { + "type" : "long" + }, + "mpls_label_stack_section6" : { + "type" : "short" + }, + "address_pool_low_threshold" : { + "type" : "long" + }, + "source_ipv6_prefix" : { + "type" : "ip" + }, + "connection_sum_duration_seconds" : { + "type" : "long" + }, + "sta_ipv4_address" : { + "type" : "ip" + }, + "mib_module_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "http_reason_phrase" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mobile_msisdn" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "confidence_level" : { + "type" : "double" + }, + "mib_object_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ignored_packet_total_count" : { + "type" : "long" + }, + "min_flow_start_nanoseconds" : { + "type" : "date" + }, + "tcp_options" : { + "type" : "long" + }, + "http_user_agent" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "virtual_station_interface_id" : { 
+ "type" : "short" + }, + "post_ip_precedence" : { + "type" : "short" + }, + "sampling_size" : { + "type" : "long" + }, + "flow_sampling_time_spacing" : { + "type" : "long" + }, + "ip_version" : { + "type" : "short" + }, + "tcp_window_scale" : { + "type" : "long" + }, + "data_records_reliability" : { + "type" : "boolean" + }, + "ip_total_length" : { + "type" : "long" + }, + "post_mcast_octet_delta_count" : { + "type" : "long" + }, + "src_traffic_index" : { + "type" : "long" + }, + "ingress_physical_interface" : { + "type" : "long" + }, + "layer2_octet_total_sum_of_squares" : { + "type" : "long" + }, + "address_port_mapping_per_user_high_threshold" : { + "type" : "long" + }, + "sampling_time_interval" : { + "type" : "long" + }, + "ip_next_hop_ipv6_address" : { + "type" : "ip" + }, + "http_request_host" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "sampling_interval" : { + "type" : "long" + }, + "session_scope" : { + "type" : "short" + }, + "vr_fname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_label_stack_depth" : { + "type" : "long" + }, + "sampling_flow_interval" : { + "type" : "long" + }, + "initiator_packets" : { + "type" : "long" + }, + "destination_transport_port" : { + "type" : "long" + }, + "vpn_identifier" : { + "type" : "short" + }, + "tcp_fin_total_count" : { + "type" : "long" + }, + "mib_object_valuei_pa_ddress" : { + "type" : "ip" + }, + "source_transport_ports_limit" : { + "type" : "long" + }, + "destination_ipv4_prefix" : { + "type" : "ip" + }, + "original_flows_completed" : { + "type" : "long" + }, + "nat_pool_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "total_length_ipv4" : { + "type" : "long" + }, + "data_link_frame_type" : { + "type" : "long" + }, + "post_ip_class_of_service" : { + "type" : "short" + }, + "nat_instance_id" : { + "type" : "long" + }, + "sampling_time_space" : { + "type" : "long" + }, + "application_category_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + 
"ignored_layer2_frame_total_count" : { + "type" : "long" + }, + "mib_capture_time_semantics" : { + "type" : "short" + }, + "port_range_step_size" : { + "type" : "long" + }, + "sampling_packet_interval" : { + "type" : "long" + }, + "post_mcast_packet_delta_count" : { + "type" : "long" + }, + "selector_id" : { + "type" : "long" + }, + "dropped_layer2_octet_total_count" : { + "type" : "long" + }, + "ipv6_extension_headers" : { + "type" : "long" + }, + "not_sent_flow_total_count" : { + "type" : "long" + }, + "dot1q_customer_vlan_id" : { + "type" : "long" + }, + "tcp_urg_total_count" : { + "type" : "long" + }, + "mpls_top_label_type" : { + "type" : "short" + }, + "rtp_sequence_number" : { + "type" : "long" + }, + "dst_traffic_index" : { + "type" : "long" + }, + "section_exported_octets" : { + "type" : "long" + }, + "flow_duration_microseconds" : { + "type" : "long" + }, + "post_octet_total_count" : { + "type" : "long" + }, + "tcp_header_length" : { + "type" : "short" + }, + "mib_object_value_unsigned" : { + "type" : "long" + }, + "protocol_identifier" : { + "type" : "short" + }, + "metro_evc_type" : { + "type" : "short" + }, + "mpls_label_stack_section" : { + "type" : "short" + }, + "udp_destination_port" : { + "type" : "long" + }, + "wlan_ssid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "collector_ipv4_address" : { + "type" : "ip" + }, + "max_fragments_pending_reassembly" : { + "type" : "long" + }, + "internal_address_realm" : { + "type" : "short" + }, + "flow_start_delta_microseconds" : { + "type" : "long" + }, + "information_element_range_begin" : { + "type" : "long" + }, + "payload_length_ipv6" : { + "type" : "long" + }, + "information_element_units" : { + "type" : "long" + }, + "ingress_interface" : { + "type" : "long" + }, + "mpls_top_label_ipv4_address" : { + "type" : "ip" + }, + "observation_domain_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "max_session_entries" : { + "type" : "long" + }, + "tcp_window_size" : { + "type" : 
"long" + }, + "biflow_direction" : { + "type" : "short" + }, + "information_element_id" : { + "type" : "long" + }, + "bgp_source_as_number" : { + "type" : "long" + }, + "exporter_certificate" : { + "type" : "short" + }, + "sampler_mode" : { + "type" : "short" + }, + "flow_selected_octet_delta_count" : { + "type" : "long" + }, + "sta_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "dropped_packet_delta_count" : { + "type" : "long" + }, + "mpls_top_label_stack_section" : { + "type" : "short" + }, + "nat_pool_id" : { + "type" : "long" + }, + "ethernet_type" : { + "type" : "long" + }, + "source_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "multicast_replication_factor" : { + "type" : "long" + }, + "anonymization_technique" : { + "type" : "long" + }, + "application_id" : { + "type" : "short" + }, + "destination_ipv6_prefix_length" : { + "type" : "short" + }, + "transport_packet_delta_count" : { + "type" : "long" + }, + "original_exporter_ipv6_address" : { + "type" : "ip" + }, + "destination_ipv4_address" : { + "type" : "ip" + }, + "observation_domain_id" : { + "type" : "long" + }, + "digest_hash_value" : { + "type" : "long" + }, + "mpls_label_stack_length" : { + "type" : "long" + }, + "port_id" : { + "type" : "long" + }, + "post_layer2_octet_delta_count" : { + "type" : "long" + }, + "exporter_ipv4_address" : { + "type" : "ip" + }, + "dot1q_vlan_id" : { + "type" : "long" + }, + "hash_flow_domain" : { + "type" : "long" + }, + "external_address_realm" : { + "type" : "short" + }, + "data_link_frame_section" : { + "type" : "short" + }, + "egress_vrfid" : { + "type" : "long" + }, + "hash_ipp_ayload_size" : { + "type" : "long" + }, + "ip_diff_serv_code_point" : { + "type" : "short" + }, + "exported_flow_record_total_count" : { + "type" : "long" + }, + "application_description" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "original_flows_present" : { + "type" : "long" + }, + "opaque_octets" : { + "type" : "short" + }, + 
"selector_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "information_element_semantics" : { + "type" : "short" + }, + "export_interface" : { + "type" : "long" + }, + "post_source_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tcp_rst_total_count" : { + "type" : "long" + }, + "distinct_count_of_destination_ipv6_address" : { + "type" : "long" + }, + "octet_total_sum_of_squares" : { + "type" : "long" + }, + "classification_engine_id" : { + "type" : "short" + }, + "selector_id_total_pkts_observed" : { + "type" : "long" + }, + "information_element_description" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "intermediate_process_id" : { + "type" : "long" + }, + "flow_end_delta_microseconds" : { + "type" : "long" + }, + "post_mcast_octet_total_count" : { + "type" : "long" + }, + "flow_selector_algorithm" : { + "type" : "long" + }, + "delta_flow_count" : { + "type" : "long" + }, + "ingress_vrfid" : { + "type" : "long" + }, + "original_flows_initiated" : { + "type" : "long" + }, + "virtual_station_uuid" : { + "type" : "short" + }, + "gre_key" : { + "type" : "long" + }, + "fragment_offset" : { + "type" : "long" + }, + "tcp_source_port" : { + "type" : "long" + }, + "flow_end_seconds" : { + "type" : "date" + }, + "ipv4_ihl" : { + "type" : "short" + }, + "dot1q_priority" : { + "type" : "short" + }, + "max_entries_per_user" : { + "type" : "long" + }, + "source_ipv6_prefix_length" : { + "type" : "short" + }, + "post_destination_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "value_distribution_method" : { + "type" : "short" + }, + "mib_object_value_oid" : { + "type" : "short" + }, + "observed_flow_total_count" : { + "type" : "long" + }, + "post_nadt_estination_ipv4_address" : { + "type" : "ip" + }, + "mib_object_identifier" : { + "type" : "short" + }, + "mib_object_value_gauge" : { + "type" : "long" + }, + "not_sent_layer2_octet_total_count" : { + "type" : "long" + }, + "udp_source_port" : { + "type" : 
"long" + }, + "hash_selected_range_max" : { + "type" : "long" + }, + "post_vlan_id" : { + "type" : "long" + }, + "ipv4_router_sc" : { + "type" : "ip" + }, + "packet_delta_count" : { + "type" : "long" + }, + "layer2_frame_total_count" : { + "type" : "long" + }, + "egress_interface_type" : { + "type" : "long" + }, + "bgp_next_hop_ipv4_address" : { + "type" : "ip" + }, + "sampler_random_interval" : { + "type" : "long" + }, + "dot1q_customer_dei" : { + "type" : "boolean" + }, + "layer2packet_section_offset" : { + "type" : "long" + }, + "post_packet_delta_count" : { + "type" : "long" + }, + "hash_ipp_ayload_offset" : { + "type" : "long" + }, + "destination_ipv4_prefix_length" : { + "type" : "short" + }, + "sampling_probability" : { + "type" : "double" + }, + "source_ipv4_prefix_length" : { + "type" : "short" + }, + "dot1q_service_instance_id" : { + "type" : "long" + }, + "egress_interface" : { + "type" : "long" + }, + "observation_point_id" : { + "type" : "long" + }, + "tcp_urgent_pointer" : { + "type" : "long" + }, + "source_ipv6_address" : { + "type" : "ip" + }, + "bgp_prev_adjacent_as_number" : { + "type" : "long" + }, + "export_sctp_stream_id" : { + "type" : "long" + }, + "max_flow_end_microseconds" : { + "type" : "date" + }, + "selection_sequence_id" : { + "type" : "long" + }, + "tcp_acknowledgement_number" : { + "type" : "long" + }, + "encrypted_technology" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_top_label_prefix_length" : { + "type" : "short" + }, + "max_flow_end_seconds" : { + "type" : "date" + }, + "sampler_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "octet_delta_sum_of_squares" : { + "type" : "long" + }, + "post_napst_ource_transport_port" : { + "type" : "long" + }, + "observation_time_seconds" : { + "type" : "date" + }, + "post_nast_ource_ipv4_address" : { + "type" : "ip" + }, + "sampling_population" : { + "type" : "long" + }, + "tcp_sequence_number" : { + "type" : "long" + }, + "min_flow_start_seconds" : { + "type" : 
"date" + }, + "monitoring_interval_end_milli_seconds" : { + "type" : "date" + }, + "flow_start_milliseconds" : { + "type" : "date" + }, + "minimum_ttl" : { + "type" : "short" + }, + "pseudo_wire_destination_ipv4_address" : { + "type" : "ip" + }, + "source_ipv4_prefix" : { + "type" : "ip" + }, + "wlan_channel_id" : { + "type" : "short" + }, + "distinct_count_of_source_ipv6_address" : { + "type" : "long" + }, + "post_dot1q_customer_vlan_id" : { + "type" : "long" + }, + "global_address_mapping_high_threshold" : { + "type" : "long" + }, + "new_connection_delta_count" : { + "type" : "long" + }, + "flow_sampling_time_interval" : { + "type" : "long" + }, + "mib_object_value_time_ticks" : { + "type" : "long" + }, + "nat_threshold_event" : { + "type" : "long" + }, + "ingress_interface_type" : { + "type" : "long" + }, + "icmp_type_code_ipv4" : { + "type" : "long" + }, + "post_layer2_octet_total_count" : { + "type" : "long" + }, + "mib_object_value_integer" : { + "type" : "long" + }, + "icmp_type_code_ipv6" : { + "type" : "long" + }, + "bgp_destination_as_number" : { + "type" : "long" + }, + "http_request_target" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bgp_next_hop_ipv6_address" : { + "type" : "ip" + }, + "forwarding_status" : { + "type" : "short" + }, + "information_element_index" : { + "type" : "long" + }, + "mib_context_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_top_label_ipv6_address" : { + "type" : "ip" + }, + "fragment_identification" : { + "type" : "long" + }, + "user_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port_range_num_ports" : { + "type" : "long" + }, + "hash_selected_range_min" : { + "type" : "long" + }, + "exporter" : { + "properties" : { + "uptime_millis" : { + "type" : "long" + }, + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "source_id" : { + "type" : "long" + }, + "version" : { + "type" : "long" + }, + "timestamp" : { + "type" : "date" + } + } + }, + 
"hash_output_range_min" : { + "type" : "long" + }, + "http_content_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "selector_algorithm" : { + "type" : "long" + }, + "address_port_mapping_high_threshold" : { + "type" : "long" + }, + "flow_start_seconds" : { + "type" : "date" + }, + "mobile_imsi" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "nat_originating_address_realm" : { + "type" : "short" + }, + "tcp_destination_port" : { + "type" : "long" + }, + "application_sub_category_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "class_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "not_sent_octet_total_count" : { + "type" : "long" + }, + "responder_octets" : { + "type" : "long" + }, + "layer2_octet_delta_count" : { + "type" : "long" + }, + "information_element_data_type" : { + "type" : "short" + }, + "flow_start_nanoseconds" : { + "type" : "date" + }, + "hash_initialiser_value" : { + "type" : "long" + }, + "bgp_validity_state" : { + "type" : "short" + }, + "engine_type" : { + "type" : "short" + }, + "flow_direction" : { + "type" : "short" + }, + "dot1q_customer_source_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "wtp_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_payload_length" : { + "type" : "long" + }, + "template_id" : { + "type" : "long" + }, + "dot1q_customer_destination_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "pseudo_wire_type" : { + "type" : "long" + }, + "interface_description" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "pseudo_wire_id" : { + "type" : "long" + }, + "vlan_id" : { + "type" : "long" + }, + "hash_digest_output" : { + "type" : "boolean" + }, + "responder_packets" : { + "type" : "long" + }, + "ethernet_payload_length" : { + "type" : "long" + }, + "collector_certificate" : { + "type" : "short" + }, + "tcp_control_bits" : { + "type" : "long" + }, + "mpls_payload_packet_section" : { + "type" : 
"short" + }, + "anonymization_flags" : { + "type" : "long" + }, + "ingress_unicast_packet_total_count" : { + "type" : "long" + }, + "lower_cli_imit" : { + "type" : "double" + }, + "address_pool_high_threshold" : { + "type" : "long" + }, + "information_element_range_end" : { + "type" : "long" + }, + "observation_point_type" : { + "type" : "short" + }, + "ip_payload_packet_section" : { + "type" : "short" + }, + "http_status_code" : { + "type" : "long" + }, + "bgp_next_adjacent_as_number" : { + "type" : "long" + }, + "dropped_layer2_octet_delta_count" : { + "type" : "long" + }, + "common_properties_id" : { + "type" : "long" + }, + "destination_ipv6_prefix" : { + "type" : "ip" + }, + "maximum_ip_total_length" : { + "type" : "long" + }, + "exporter_ipv6_address" : { + "type" : "ip" + }, + "ip_class_of_service" : { + "type" : "short" + }, + "rfc3550_jitter_nanoseconds" : { + "type" : "long" + }, + "http_request_method" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "is_multicast" : { + "type" : "short" + }, + "original_observation_domain_id" : { + "type" : "long" + }, + "mib_object_value_counter" : { + "type" : "long" + }, + "mib_object_value_bits" : { + "type" : "short" + }, + "ip_header_packet_section" : { + "type" : "short" + }, + "post_mcast_layer2_octet_delta_count" : { + "type" : "long" + }, + "tunnel_technology" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ingress_multicast_packet_total_count" : { + "type" : "long" + }, + "flow_idle_timeout" : { + "type" : "long" + }, + "exported_message_total_count" : { + "type" : "long" + }, + "max_export_seconds" : { + "type" : "date" + }, + "minimum_ip_total_length" : { + "type" : "long" + }, + "selector_itd_otal_flows_selected" : { + "type" : "long" + }, + "flow_end_nanoseconds" : { + "type" : "date" + }, + "layer2_segment_id" : { + "type" : "long" + }, + "ip_next_hop_ipv4_address" : { + "type" : "ip" + }, + "post_mcast_layer2_octet_total_count" : { + "type" : "long" + }, + "egress_physical_interface" : 
{ + "type" : "long" + }, + "tcp_psh_total_count" : { + "type" : "long" + }, + "mib_index_indicator" : { + "type" : "long" + }, + "nat_type" : { + "type" : "short" + }, + "udp_message_length" : { + "type" : "long" + }, + "selector_itd_otal_flows_observed" : { + "type" : "long" + }, + "monitoring_interval_start_milli_seconds" : { + "type" : "date" + }, + "layer2packet_section_size" : { + "type" : "long" + }, + "port_range_start" : { + "type" : "long" + }, + "exported_octet_total_count" : { + "type" : "long" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "source_ipv4_address" : { + "type" : "ip" + }, + "collector_transport_port" : { + "type" : "long" + }, + "post_dot1q_vlan_id" : { + "type" : "long" + }, + "observation_time_nanoseconds" : { + "type" : "date" + }, + "firewall_event" : { + "type" : "short" + }, + "dropped_octet_delta_count" : { + "type" : "long" + }, + "octet_total_count" : { + "type" : "long" + }, + "post_nadt_estination_ipv6_address" : { + "type" : "ip" + }, + "http_message_version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "flow_selected_packet_delta_count" : { + "type" : "long" + }, + "flow_active_timeout" : { + "type" : "long" + }, + "maximum_ttl" : { + "type" : "short" + }, + "post_mcast_packet_total_count" : { + "type" : "long" + }, + "dot1q_customer_priority" : { + "type" : "short" + }, + "igmp_type" : { + "type" : "short" + }, + "metro_evc_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "destination_mac_address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "flow_end_sys_up_time" : { + "type" : "long" + }, + "relative_error" : { + "type" : "double" + }, + "source_transport_port" : { + "type" : "long" + }, + "export_protocol_version" : { + "type" : "short" + }, + "mib_object_value_octet_string" : { + "type" : "short" + }, + "exporting_process_id" : { + "type" : "long" + }, + "hash_output_range_max" : { + "type" : "long" + }, + "max_subscribers" : { + "type" : "long" + }, + 
"dot1q_service_instance_priority" : { + "type" : "short" + }, + "ip_header_length" : { + "type" : "short" + }, + "sampling_algorithm" : { + "type" : "short" + }, + "ingress_broadcast_packet_total_count" : { + "type" : "long" + }, + "data_link_frame_size" : { + "type" : "long" + }, + "ip_ttl" : { + "type" : "short" + }, + "layer2_octet_total_count" : { + "type" : "long" + }, + "mib_object_syntax" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "min_flow_start_microseconds" : { + "type" : "date" + }, + "ignored_layer2_octet_total_count" : { + "type" : "long" + }, + "private_enterprise_number" : { + "type" : "long" + }, + "flow_start_microseconds" : { + "type" : "date" + }, + "address_port_mapping_low_threshold" : { + "type" : "long" + }, + "max_bieb_ntries" : { + "type" : "long" + }, + "collector_ipv6_address" : { + "type" : "ip" + }, + "distinct_count_of_destinatio_nipa_ddress" : { + "type" : "long" + }, + "max_flow_end_milliseconds" : { + "type" : "date" + }, + "absolute_error" : { + "type" : "double" + }, + "observation_time_microseconds" : { + "type" : "date" + }, + "minimum_layer2_total_length" : { + "type" : "long" + }, + "ethernet_total_length" : { + "type" : "long" + }, + "flow_end_microseconds" : { + "type" : "date" + }, + "layer2_octet_delta_sum_of_squares" : { + "type" : "long" + }, + "padding_octets" : { + "type" : "short" + }, + "application_group_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "dot1q_dei" : { + "type" : "boolean" + }, + "upper_cli_imit" : { + "type" : "double" + }, + "mpls_top_label_exp" : { + "type" : "short" + }, + "ipv4_options" : { + "type" : "long" + }, + "virtual_station_interface_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "fragment_flags" : { + "type" : "short" + }, + "destination_ipv6_address" : { + "type" : "ip" + }, + "system_init_time_milliseconds" : { + "type" : "date" + }, + "message_scope" : { + "type" : "short" + }, + "connection_transaction_id" : { + "type" : "long" + }, + 
"ip_payload_length" : { + "type" : "long" + }, + "dot1q_service_instance_tag" : { + "type" : "short" + }, + "flow_end_reason" : { + "type" : "short" + }, + "flow_duration_milliseconds" : { + "type" : "long" + }, + "original_exporter_ipv4_address" : { + "type" : "ip" + }, + "selector_id_total_pkts_selected" : { + "type" : "long" + }, + "virtual_station_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "flow_id" : { + "type" : "long" + }, + "port_range_end" : { + "type" : "long" + }, + "post_mpls_top_label_exp" : { + "type" : "short" + }, + "post_nast_ource_ipv6_address" : { + "type" : "ip" + }, + "flow_selected_flow_delta_count" : { + "type" : "long" + }, + "ignored_data_record_total_count" : { + "type" : "long" + }, + "tcp_syn_total_count" : { + "type" : "long" + }, + "export_transport_protocol" : { + "type" : "short" + }, + "ip_sec_spi" : { + "type" : "long" + }, + "rfc3550_jitter_milliseconds" : { + "type" : "long" + }, + "maximum_layer2_total_length" : { + "type" : "long" + }, + "layer2packet_section_data" : { + "type" : "short" + }, + "egress_broadcast_packet_total_count" : { + "type" : "long" + }, + "transport_octet_delta_count" : { + "type" : "long" + }, + "rfc3550_jitter_microseconds" : { + "type" : "long" + }, + "layer2_frame_delta_count" : { + "type" : "long" + }, + "line_card_id" : { + "type" : "long" + }, + "ethernet_header_length" : { + "type" : "short" + }, + "flow_key_indicator" : { + "type" : "long" + }, + "interface_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_vpn_route_distinguisher" : { + "type" : "short" + }, + "post_napdt_estination_transport_port" : { + "type" : "long" + }, + "icmp_type_ipv4" : { + "type" : "short" + }, + "flags_and_sampler_id" : { + "type" : "long" + }, + "icmp_type_ipv6" : { + "type" : "short" + }, + "message_md5_checksum" : { + "type" : "short" + }, + "distinct_count_of_source_ipv4_address" : { + "type" : "long" + }, + "packet_total_count" : { + "type" : "long" + }, + 
"mib_context_engine_id" : { + "type" : "short" + }, + "mib_sub_identifier" : { + "type" : "long" + }, + "post_packet_total_count" : { + "type" : "long" + }, + "sampling_packet_space" : { + "type" : "long" + }, + "p2p_technology" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "egress_unicast_packet_total_count" : { + "type" : "long" + }, + "min_export_seconds" : { + "type" : "date" + }, + "exporter_transport_port" : { + "type" : "long" + }, + "distinct_count_of_destination_ipv4_address" : { + "type" : "long" + }, + "flow_label_ipv6" : { + "type" : "long" + }, + "ignored_octet_total_count" : { + "type" : "long" + }, + "observation_time_milliseconds" : { + "type" : "date" + }, + "nat_quota_exceeded_event" : { + "type" : "long" + }, + "max_flow_end_nanoseconds" : { + "type" : "date" + }, + "engine_id" : { + "type" : "short" + }, + "mib_object_description" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mpls_top_label_ttl" : { + "type" : "short" + }, + "section_offset" : { + "type" : "long" + }, + "flow_end_milliseconds" : { + "type" : "date" + }, + "ip_precedence" : { + "type" : "short" + }, + "collection_time_milliseconds" : { + "type" : "date" + } + } + }, + "apache" : { + "properties" : { + "access" : { + "properties" : { + "ssl" : { + "properties" : { + "cipher" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "protocol" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "error" : { + "properties" : { + "module" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "ecs" : { + "properties" : { + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "elasticsearch" : { + "properties" : { + "cluster" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "uuid" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "node" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" 
: 1024, + "type" : "keyword" + } + } + }, + "server" : { + "properties" : { + "stacktrace" : { + "ignore_above" : 1024, + "index" : false, + "type" : "keyword" + }, + "gc" : { + "properties" : { + "overhead_seq" : { + "type" : "long" + }, + "young" : { + "properties" : { + "one" : { + "type" : "long" + }, + "two" : { + "type" : "long" + } + } + }, + "observation_duration" : { + "properties" : { + "ms" : { + "type" : "float" + } + } + }, + "collection_duration" : { + "properties" : { + "ms" : { + "type" : "float" + } + } + } + } + } + } + }, + "component" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "audit" : { + "properties" : { + "request" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "indices" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "event_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "origin" : { + "properties" : { + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "action" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "realm" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "user" : { + "properties" : { + "roles" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "realm" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "layer" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "url" : { + "properties" : { + "params" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "slowlog" : { + "properties" : { + "routing" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "took" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "total_shards" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "source_query" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "types" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "total_hits" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "stats" : { 
+ "ignore_above" : 1024, + "type" : "keyword" + }, + "extra_source" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "logger" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "search_type" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "index" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "shard" : { + "properties" : { + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "deprecation" : { + "properties" : { } + }, + "gc" : { + "properties" : { + "phase" : { + "properties" : { + "cpu_time" : { + "properties" : { + "real_sec" : { + "type" : "float" + }, + "sys_sec" : { + "type" : "float" + }, + "user_sec" : { + "type" : "float" + } + } + }, + "scrub_symbol_table_time_sec" : { + "type" : "float" + }, + "scrub_string_table_time_sec" : { + "type" : "float" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "weak_refs_processing_time_sec" : { + "type" : "float" + }, + "parallel_rescan_time_sec" : { + "type" : "float" + }, + "class_unload_time_sec" : { + "type" : "float" + }, + "duration_sec" : { + "type" : "float" + } + } + }, + "jvm_runtime_sec" : { + "type" : "float" + }, + "stopping_threads_time_sec" : { + "type" : "float" + }, + "old_gen" : { + "properties" : { + "size_kb" : { + "type" : "long" + }, + "used_kb" : { + "type" : "long" + } + } + }, + "young_gen" : { + "properties" : { + "size_kb" : { + "type" : "long" + }, + "used_kb" : { + "type" : "long" + } + } + }, + "threads_total_stop_time_sec" : { + "type" : "float" + }, + "heap" : { + "properties" : { + "size_kb" : { + "type" : "long" + }, + "used_kb" : { + "type" : "long" + } + } + }, + "tags" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "host" : { + "properties" : { + "geo" : 
{ + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "hostname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "os" : { + "properties" : { + "build" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "kernel" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "family" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "platform" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "full" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "containerized" : { + "type" : "boolean" + }, + "ip" : { + "type" : "ip" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "user" : { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" 
+ }, + "architecture" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "mysql" : { + "properties" : { + "thread_id" : { + "type" : "long" + }, + "slowlog" : { + "properties" : { + "schema" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tmp_table_sizes" : { + "type" : "long" + }, + "rows_examined" : { + "type" : "long" + }, + "innodb" : { + "properties" : { + "trx_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "io_r_ops" : { + "type" : "long" + }, + "io_r_wait" : { + "properties" : { + "sec" : { + "type" : "long" + } + } + }, + "io_r_bytes" : { + "type" : "long" + }, + "pages_distinct" : { + "type" : "long" + }, + "queue_wait" : { + "properties" : { + "sec" : { + "type" : "long" + } + } + }, + "rec_lock_wait" : { + "properties" : { + "sec" : { + "type" : "long" + } + } + } + } + }, + "tmp_disk_tables" : { + "type" : "long" + }, + "filesort_on_disk" : { + "type" : "boolean" + }, + "tmp_tables" : { + "type" : "long" + }, + "full_join" : { + "type" : "boolean" + }, + "current_user" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "log_slow_rate_limit" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "log_slow_rate_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "priority_queue" : { + "type" : "boolean" + }, + "full_scan" : { + "type" : "boolean" + }, + "query" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "merge_passes" : { + "type" : "long" + }, + "filesort" : { + "type" : "boolean" + }, + "bytes_sent" : { + "type" : "long" + }, + "killed" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tmp_table" : { + "type" : "boolean" + }, + "lock_time" : { + "properties" : { + "sec" : { + "type" : "float" + } + } + }, + "rows_affected" : { + "type" : "long" + }, + "rows_sent" : { + "type" : "long" + }, + "last_errno" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "query_cache_hit" : { + "type" : "boolean" + }, + "tmp_table_on_disk" : { + "type" : "boolean" + } + } + }, + "error" 
: { + "properties" : { } + } + } + }, + "kibana" : { + "properties" : { + "log" : { + "properties" : { + "meta" : { + "type" : "object" + }, + "state" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tags" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "nginx" : { + "properties" : { + "access" : { + "properties" : { + "geoip" : { + "properties" : { } + }, + "user_agent" : { + "properties" : { } + } + } + }, + "error" : { + "properties" : { + "connection_id" : { + "type" : "long" + } + } + } + } + }, + "zeek" : { + "properties" : { + "dns" : { + "properties" : { + "AA" : { + "type" : "boolean" + }, + "TTLs" : { + "type" : "double" + }, + "qclass_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "qtype_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "qtype" : { + "type" : "long" + }, + "rejected" : { + "type" : "boolean" + }, + "query" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "answers" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "total_replies" : { + "type" : "long" + }, + "rcode" : { + "type" : "long" + }, + "trans_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "RA" : { + "type" : "boolean" + }, + "TC" : { + "type" : "boolean" + }, + "rcode_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "RD" : { + "type" : "boolean" + }, + "saw_query" : { + "type" : "boolean" + }, + "rtt" : { + "type" : "double" + }, + "saw_reply" : { + "type" : "boolean" + }, + "total_answers" : { + "type" : "long" + }, + "qclass" : { + "type" : "long" + } + } + }, + "files" : { + "properties" : { + "timedout" : { + "type" : "boolean" + }, + "sha256" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tx_host" : { + "type" : "ip" + }, + "source" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + 
"extracted" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "duration" : { + "type" : "double" + }, + "entropy" : { + "type" : "double" + }, + "analyzers" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "total_bytes" : { + "type" : "long" + }, + "fuid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "seen_bytes" : { + "type" : "long" + }, + "missing_bytes" : { + "type" : "long" + }, + "session_ids" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "parent_fuid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "local_orig" : { + "type" : "boolean" + }, + "is_orig" : { + "type" : "boolean" + }, + "extracted_cutoff" : { + "type" : "boolean" + }, + "overflow_bytes" : { + "type" : "long" + }, + "sha1" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "depth" : { + "type" : "long" + }, + "filename" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mime_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rx_host" : { + "type" : "ip" + }, + "extracted_size" : { + "type" : "long" + }, + "md5" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "http" : { + "properties" : { + "orig_mime_depth" : { + "type" : "long" + }, + "server_header_names" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "resp_mime_depth" : { + "type" : "long" + }, + "proxied" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "orig_mime_types" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "info_msg" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "resp_mime_types" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "client_header_names" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "password" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "trans_depth" : { + "type" : "long" + }, + "orig_filenames" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "orig_fuids" : { + "ignore_above" : 1024, + 
"type" : "keyword" + }, + "range_request" : { + "type" : "boolean" + }, + "captured_password" : { + "type" : "boolean" + }, + "status_msg" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "resp_filenames" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "info_code" : { + "type" : "long" + }, + "resp_fuids" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "session_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "connection" : { + "properties" : { + "local_resp" : { + "type" : "boolean" + }, + "inner_vlan" : { + "type" : "long" + }, + "resp_l2_addr" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "vlan" : { + "type" : "long" + }, + "local_orig" : { + "type" : "boolean" + }, + "history" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "missed_bytes" : { + "type" : "long" + }, + "state" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "orig_l2_addr" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "fnotice" : { + "properties" : { + "file" : { + "properties" : { + "total_bytes" : { + "type" : "long" + } + } + } + } + }, + "ssl" : { + "properties" : { + "cipher" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "established" : { + "type" : "boolean" + }, + "server_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "client_cert_chain_fuids" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "curve" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "subject" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "cert_chain_fuids" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "next_protocol" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "issuer" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "client_subject" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "client_issuer" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "cert_chain" : { + 
"ignore_above" : 1024, + "type" : "keyword" + }, + "client_cert_chain" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "last_alert" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "validation_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "validation_status" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "resumed" : { + "type" : "boolean" + } + } + }, + "notice" : { + "properties" : { + "msg" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "suppress_for" : { + "type" : "double" + }, + "identifier" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "note" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "sub" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email_delay_tokens" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "dropped" : { + "type" : "boolean" + }, + "email_body_sections" : { + "norms" : false, + "type" : "text" + }, + "n" : { + "type" : "long" + }, + "icmp_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "peer_descr" : { + "norms" : false, + "type" : "text" + }, + "file" : { + "properties" : { + "mime_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "parent_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "source" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "is_orig" : { + "type" : "boolean" + }, + "seen_bytes" : { + "type" : "long" + }, + "missing_bytes" : { + "type" : "long" + }, + "overflow_bytes" : { + "type" : "long" + } + } + }, + "connection_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "fuid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "peer_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "actions" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "labels" : { + "type" : "object" + }, + "tags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "input" : { + "properties" : { + 
"type" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "system" : { + "properties" : { + "auth" : { + "properties" : { + "ssh" : { + "properties" : { + "geoip" : { + "properties" : { } + }, + "dropped_ip" : { + "type" : "ip" + }, + "method" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "signature" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "event" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "sudo" : { + "properties" : { + "tty" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "error" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "pwd" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "user" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "command" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "groupadd" : { + "properties" : { } + }, + "useradd" : { + "properties" : { + "shell" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "home" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "syslog" : { + "properties" : { } + } + } + }, + "kafka" : { + "properties" : { + "log" : { + "properties" : { + "component" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "trace" : { + "properties" : { + "message" : { + "norms" : false, + "type" : "text" + }, + "class" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "class" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "http" : { + "properties" : { + "request" : { + "properties" : { + "referrer" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "method" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bytes" : { + "type" : "long" + }, + "body" : { + "properties" : { + "bytes" : { + "type" : "long" + }, + "content" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "response" : { + "properties" : { + "status_code" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "body" : { + 
"properties" : { + "bytes" : { + "type" : "long" + }, + "content" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "suricata" : { + "properties" : { + "eve" : { + "properties" : { + "icmp_type" : { + "type" : "long" + }, + "flags" : { + "properties" : { } + }, + "ssh" : { + "properties" : { + "server" : { + "properties" : { + "proto_version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "software_version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "client" : { + "properties" : { + "proto_version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "software_version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "app_proto_orig" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "src_ip" : { + "path" : "source.ip", + "type" : "alias" + }, + "event_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "alert" : { + "properties" : { + "severity" : { + "path" : "event.severity", + "type" : "alias" + }, + "rev" : { + "type" : "long" + }, + "signature_id" : { + "type" : "long" + }, + "gid" : { + "type" : "long" + }, + "signature" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "action" : { + "path" : "event.outcome", + "type" : "alias" + }, + "category" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "stats" : { + "properties" : { + "defrag" : { + "properties" : { + "max_frag_hits" : { + "type" : "long" + }, + "ipv4" : { + "properties" : { + "reassembled" : { + "type" : "long" + }, + "timeouts" : { + "type" : "long" + }, + "fragments" : { + "type" : "long" + } + } + }, + "ipv6" : { + "properties" : { + "reassembled" : { + "type" : "long" + }, + "timeouts" : { + "type" : "long" + }, + "fragments" : { + "type" : "long" + } + } + } + } + }, + "tcp" : { + "properties" : { + "insert_data_overlap_fail" : { + "type" : "long" + }, + "invalid_checksum" : { + "type" : "long" + }, 
+ "ssn_memcap_drop" : { + "type" : "long" + }, + "sessions" : { + "type" : "long" + }, + "overlap_diff_data" : { + "type" : "long" + }, + "stream_depth_reached" : { + "type" : "long" + }, + "syn" : { + "type" : "long" + }, + "no_flow" : { + "type" : "long" + }, + "segment_memcap_drop" : { + "type" : "long" + }, + "memuse" : { + "type" : "long" + }, + "pseudo_failed" : { + "type" : "long" + }, + "reassembly_gap" : { + "type" : "long" + }, + "rst" : { + "type" : "long" + }, + "overlap" : { + "type" : "long" + }, + "insert_list_fail" : { + "type" : "long" + }, + "synack" : { + "type" : "long" + }, + "pseudo" : { + "type" : "long" + }, + "reassembly_memuse" : { + "type" : "long" + }, + "insert_data_normal_fail" : { + "type" : "long" + } + } + }, + "app_layer" : { + "properties" : { + "tx" : { + "properties" : { + "dcerpc_tcp" : { + "type" : "long" + }, + "dcerpc_udp" : { + "type" : "long" + }, + "ftp" : { + "type" : "long" + }, + "smtp" : { + "type" : "long" + }, + "http" : { + "type" : "long" + }, + "smb" : { + "type" : "long" + }, + "ssh" : { + "type" : "long" + }, + "tls" : { + "type" : "long" + }, + "dns_tcp" : { + "type" : "long" + }, + "dns_udp" : { + "type" : "long" + } + } + }, + "flow" : { + "properties" : { + "dcerpc_tcp" : { + "type" : "long" + }, + "dcerpc_udp" : { + "type" : "long" + }, + "imap" : { + "type" : "long" + }, + "ftp" : { + "type" : "long" + }, + "smtp" : { + "type" : "long" + }, + "msn" : { + "type" : "long" + }, + "smb" : { + "type" : "long" + }, + "ssh" : { + "type" : "long" + }, + "failed_tcp" : { + "type" : "long" + }, + "failed_udp" : { + "type" : "long" + }, + "dns_tcp" : { + "type" : "long" + }, + "dns_udp" : { + "type" : "long" + }, + "http" : { + "type" : "long" + }, + "tls" : { + "type" : "long" + } + } + } + } + }, + "dns" : { + "properties" : { + "memuse" : { + "type" : "long" + }, + "memcap_state" : { + "type" : "long" + }, + "memcap_global" : { + "type" : "long" + } + } + }, + "capture" : { + "properties" : { + "kernel_drops" : { 
+ "type" : "long" + }, + "kernel_ifdrops" : { + "type" : "long" + }, + "kernel_packets" : { + "type" : "long" + } + } + }, + "detect" : { + "properties" : { + "alert" : { + "type" : "long" + } + } + }, + "http" : { + "properties" : { + "memuse" : { + "type" : "long" + }, + "memcap" : { + "type" : "long" + } + } + }, + "decoder" : { + "properties" : { + "udp" : { + "type" : "long" + }, + "dce" : { + "properties" : { + "pkt_too_small" : { + "type" : "long" + } + } + }, + "ieee8021ah" : { + "type" : "long" + }, + "pkts" : { + "type" : "long" + }, + "ipv4" : { + "type" : "long" + }, + "vlan" : { + "type" : "long" + }, + "ipv6" : { + "type" : "long" + }, + "pppoe" : { + "type" : "long" + }, + "mpls" : { + "type" : "long" + }, + "teredo" : { + "type" : "long" + }, + "gre" : { + "type" : "long" + }, + "max_pkt_size" : { + "type" : "long" + }, + "vlan_qinq" : { + "type" : "long" + }, + "ipraw" : { + "properties" : { + "invalid_ip_version" : { + "type" : "long" + } + } + }, + "tcp" : { + "type" : "long" + }, + "erspan" : { + "type" : "long" + }, + "icmpv4" : { + "type" : "long" + }, + "raw" : { + "type" : "long" + }, + "ipv4_in_ipv6" : { + "type" : "long" + }, + "icmpv6" : { + "type" : "long" + }, + "ltnull" : { + "properties" : { + "unsupported_type" : { + "type" : "long" + }, + "pkt_too_small" : { + "type" : "long" + } + } + }, + "ethernet" : { + "type" : "long" + }, + "ppp" : { + "type" : "long" + }, + "sll" : { + "type" : "long" + }, + "null" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "avg_pkt_size" : { + "type" : "long" + }, + "invalid" : { + "type" : "long" + }, + "sctp" : { + "type" : "long" + }, + "ipv6_in_ipv6" : { + "type" : "long" + } + } + }, + "flow_mgr" : { + "properties" : { + "bypassed_pruned" : { + "type" : "long" + }, + "closed_pruned" : { + "type" : "long" + }, + "rows_empty" : { + "type" : "long" + }, + "flows_notimeout" : { + "type" : "long" + }, + "flows_checked" : { + "type" : "long" + }, + "flows_timeout_inuse" : { + "type" : 
"long" + }, + "rows_maxlen" : { + "type" : "long" + }, + "flows_removed" : { + "type" : "long" + }, + "rows_checked" : { + "type" : "long" + }, + "flows_timeout" : { + "type" : "long" + }, + "est_pruned" : { + "type" : "long" + }, + "rows_busy" : { + "type" : "long" + }, + "new_pruned" : { + "type" : "long" + }, + "rows_skipped" : { + "type" : "long" + } + } + }, + "file_store" : { + "properties" : { + "open_files" : { + "type" : "long" + } + } + }, + "flow" : { + "properties" : { + "emerg_mode_entered" : { + "type" : "long" + }, + "memuse" : { + "type" : "long" + }, + "tcp" : { + "type" : "long" + }, + "udp" : { + "type" : "long" + }, + "tcp_reuse" : { + "type" : "long" + }, + "icmpv4" : { + "type" : "long" + }, + "emerg_mode_over" : { + "type" : "long" + }, + "icmpv6" : { + "type" : "long" + }, + "memcap" : { + "type" : "long" + }, + "spare" : { + "type" : "long" + } + } + }, + "uptime" : { + "type" : "long" + } + } + }, + "flow_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "fileinfo" : { + "properties" : { + "sha1" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "filename" : { + "path" : "file.path", + "type" : "alias" + }, + "sha256" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "size" : { + "path" : "file.size", + "type" : "alias" + }, + "stored" : { + "type" : "boolean" + }, + "state" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tx_id" : { + "type" : "long" + }, + "gaps" : { + "type" : "boolean" + }, + "md5" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "icmp_code" : { + "type" : "long" + }, + "dest_port" : { + "path" : "destination.port", + "type" : "alias" + }, + "email" : { + "properties" : { + "status" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "flow" : { + "properties" : { + "reason" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "pkts_toserver" : { + "path" : "source.packets", + "type" : "alias" + }, + "alerted" : { + "type" : "boolean" + }, + "start" : { 
+ "path" : "event.start", + "type" : "alias" + }, + "bytes_toclient" : { + "path" : "destination.bytes", + "type" : "alias" + }, + "end" : { + "type" : "date" + }, + "state" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bytes_toserver" : { + "path" : "source.bytes", + "type" : "alias" + }, + "age" : { + "type" : "long" + }, + "pkts_toclient" : { + "path" : "destination.packets", + "type" : "alias" + } + } + }, + "timestamp" : { + "path" : "@timestamp", + "type" : "alias" + }, + "tcp" : { + "properties" : { + "rst" : { + "type" : "boolean" + }, + "tcp_flags_tc" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tcp_flags_ts" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "psh" : { + "type" : "boolean" + }, + "tcp_flags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ack" : { + "type" : "boolean" + }, + "syn" : { + "type" : "boolean" + }, + "fin" : { + "type" : "boolean" + }, + "state" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "smtp" : { + "properties" : { + "helo" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rcpt_to" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mail_from" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "pcap_cnt" : { + "type" : "long" + }, + "dns" : { + "properties" : { + "rdata" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rrname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rcode" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "type" : "long" + }, + "tx_id" : { + "type" : "long" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ttl" : { + "type" : "long" + }, + "rrtype" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "app_proto_tc" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tx_id" : { + "type" : "long" + }, + "app_proto" : { + "path" : "network.protocol", + "type" : "alias" + }, + "in_iface" : { + "ignore_above" : 1024, + "type" : "keyword" + 
}, + "src_port" : { + "path" : "source.port", + "type" : "alias" + }, + "app_proto_expected" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "dest_ip" : { + "path" : "destination.ip", + "type" : "alias" + }, + "proto" : { + "path" : "network.transport", + "type" : "alias" + }, + "http" : { + "properties" : { + "redirect" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hostname" : { + "path" : "url.domain", + "type" : "alias" + }, + "protocol" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "http_method" : { + "path" : "http.request.method", + "type" : "alias" + }, + "http_content_type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "http_refer" : { + "path" : "http.request.referrer", + "type" : "alias" + }, + "length" : { + "path" : "http.response.body.bytes", + "type" : "alias" + }, + "url" : { + "path" : "url.original", + "type" : "alias" + }, + "http_user_agent" : { + "path" : "user_agent.original", + "type" : "alias" + }, + "status" : { + "path" : "http.response.status_code", + "type" : "alias" + } + } + }, + "tls" : { + "properties" : { + "notbefore" : { + "type" : "date" + }, + "serial" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "issuerdn" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "subject" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "notafter" : { + "type" : "date" + }, + "fingerprint" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "session_resumed" : { + "type" : "boolean" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "sni" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "app_proto_ts" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "fields" : { + "type" : "object" + }, + "hash" : { + "properties" : { + "sha256" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "iptables" : { + "properties" : { + "tcp" : { + "properties" : { + "reserved_bits" : { + "type" : "short" + }, + "ack" : { + 
"type" : "long" + }, + "flags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "window" : { + "type" : "long" + }, + "seq" : { + "type" : "long" + } + } + }, + "udp" : { + "properties" : { + "length" : { + "type" : "long" + } + } + }, + "fragment_offset" : { + "type" : "long" + }, + "flow_label" : { + "type" : "long" + }, + "input_device" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "precedence_bits" : { + "type" : "short" + }, + "fragment_flags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "length" : { + "type" : "long" + }, + "icmp" : { + "properties" : { + "redirect" : { + "type" : "ip" + }, + "code" : { + "type" : "long" + }, + "parameter" : { + "type" : "long" + }, + "id" : { + "type" : "long" + }, + "type" : { + "type" : "long" + }, + "seq" : { + "type" : "long" + } + } + }, + "ttl" : { + "type" : "long" + }, + "ether_type" : { + "type" : "long" + }, + "ubiquiti" : { + "properties" : { + "output_zone" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "input_zone" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rule_set" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rule_number" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "output_device" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tos" : { + "type" : "long" + }, + "id" : { + "type" : "long" + }, + "incomplete_bytes" : { + "type" : "long" + } + } + }, + "server" : { + "properties" : { + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + 
"ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "domain" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "user" : { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "packets" : { + "type" : "long" + } + } + }, + "apache2" : { + "properties" : { + "access" : { + "properties" : { + "geoip" : { + "properties" : { } + }, + "user_agent" : { + "properties" : { } + } + } + }, + "error" : { + "properties" : { } + } + } + }, + "log" : { + "properties" : { + "file" : { + "properties" : { + "path" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "original" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "offset" : { + "type" : "long" + }, + "level" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "flags" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "source" : { + "properties" : { + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "traefik" : { + "properties" : { + "access" : { + "properties" : { + "user_identifier" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "geoip" : { + "properties" : { + "continent_name" : { + "path" : "source.geo.continent_name", + "type" : "alias" + }, + "region_iso_code" : { + "path" : "source.geo.region_iso_code", + "type" : "alias" + }, + 
"city_name" : { + "path" : "source.geo.city_name", + "type" : "alias" + }, + "country_iso_code" : { + "path" : "source.geo.country_iso_code", + "type" : "alias" + }, + "location" : { + "path" : "source.geo.location", + "type" : "alias" + }, + "region_name" : { + "path" : "source.geo.region_name", + "type" : "alias" + } + } + }, + "backend_url" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "frontend_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "user_agent" : { + "properties" : { + "original" : { + "path" : "user_agent.original", + "type" : "alias" + }, + "os" : { + "path" : "user_agent.os.full_name", + "type" : "alias" + }, + "name" : { + "path" : "user_agent.name", + "type" : "alias" + }, + "os_name" : { + "path" : "user_agent.os.name", + "type" : "alias" + }, + "device" : { + "path" : "user_agent.device.name", + "type" : "alias" + } + } + }, + "request_count" : { + "type" : "long" + } + } + } + } + }, + "certificate" : { + "properties" : { + "sha256" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "common_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "destination" : { + "properties" : { + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "domain" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "user" 
: { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "packets" : { + "type" : "long" + } + } + }, + "syslog" : { + "properties" : { + "priority" : { + "type" : "long" + }, + "facility" : { + "type" : "long" + }, + "severity_label" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "facility_label" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "auditd" : { + "properties" : { + "log" : { + "properties" : { + "new_auid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "item" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "laddr" : { + "type" : "ip" + }, + "new_ses" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "geoip" : { + "properties" : { } + }, + "old_ses" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "rport" : { + "type" : "long" + }, + "lport" : { + "type" : "long" + }, + "a0" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "sequence" : { + "type" : "long" + }, + "old_auid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "tty" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "addr" : { + "type" : "ip" + }, + "items" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "error" : { + "properties" : { + "code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "message" : { + "norms" : false, + "type" : "text" + }, + "type" : { + "ignore_above" : 1024, + "type" : 
"keyword" + } + } + }, + "docker" : { + "properties" : { + "container" : { + "properties" : { + "labels" : { + "type" : "object" + } + } + } + } + }, + "network" : { + "properties" : { + "community_id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "forwarded_ip" : { + "type" : "ip" + }, + "protocol" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "application" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bytes" : { + "type" : "long" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "transport" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "iana_number" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "packets" : { + "type" : "long" + }, + "direction" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "santa" : { + "properties" : { + "mode" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "reason" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "disk" : { + "properties" : { + "volume" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bus" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "serial" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "bsdname" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "model" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "fs" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mount" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "decision" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "action" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" 
: { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "iis" : { + "properties" : { + "access" : { + "properties" : { + "site_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "server_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "geoip" : { + "properties" : { } + }, + "cookie" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "sub_status" : { + "type" : "long" + }, + "win32_status" : { + "type" : "long" + }, + "user_agent" : { + "properties" : { } + } + } + }, + "error" : { + "properties" : { + "queue_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "geoip" : { + "properties" : { } + }, + "reason_phrase" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "file" : { + "properties" : { + "owner" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "extension" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "gid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mtime" : { + "type" : "date" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "target_path" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "inode" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "mode" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "path" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "uid" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "size" : { + "type" : "long" + }, + "ctime" : { + "type" : "date" + }, + "device" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "postgresql" : { + "properties" : { + "log" : { + "properties" : { + "database" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "core_id" : { + "type" : "long" + }, + "query" : { + 
"ignore_above" : 1024, + "type" : "keyword" + }, + "timestamp" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "related" : { + "properties" : { + "ip" : { + "type" : "ip" + } + } + }, + "stream" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "client" : { + "properties" : { + "geo" : { + "properties" : { + "continent_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "region_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "city_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_iso_code" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "country_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "location" : { + "type" : "geo_point" + }, + "region_name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "address" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port" : { + "type" : "long" + }, + "bytes" : { + "type" : "long" + }, + "domain" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "user" : { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "email" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "group" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "mac" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "packets" : { + "type" : "long" + } + } + }, + "event" : { + "properties" : { + "severity" : { + "type" : "long" + }, + "original" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "risk_score" : { + "type" : "float" + }, + "created" : { + "type" : "date" + }, + 
"kind" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "timezone" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "module" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "start" : { + "type" : "date" + }, + "type" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "duration" : { + "type" : "long" + }, + "risk_score_norm" : { + "type" : "float" + }, + "action" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "end" : { + "type" : "date" + }, + "id" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "category" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "dataset" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "hash" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "outcome" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "mongodb" : { + "properties" : { + "log" : { + "properties" : { + "component" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "context" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "user_agent" : { + "properties" : { + "original" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "os" : { + "properties" : { + "full_name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "kernel" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "family" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "platform" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "full" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "device" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "process" : { + "properties" : { + "args" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + 
"name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "start" : { + "type" : "date" + }, + "pid" : { + "type" : "long" + }, + "working_directory" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "program" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "thread" : { + "properties" : { + "id" : { + "type" : "long" + } + } + }, + "title" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "executable" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "ppid" : { + "type" : "long" + } + } + }, + "os" : { + "properties" : { + "kernel" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "family" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "version" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "platform" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "full" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "osquery" : { + "properties" : { + "result" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "unix_time" : { + "type" : "long" + }, + "action" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "calendar_time" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "host_identifier" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + } + } + }, + "fileset" : { + "properties" : { + "name" : { + "ignore_above" : 1024, + "type" : "keyword" + } + } + }, + "message" : { + "norms" : false, + "type" : "text" + }, + "url" : { + "properties" : { + "path" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "fragment" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "password" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "original" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "scheme" : { + "ignore_above" : 1024, + "type" : "keyword" + }, + "port" : { + "type" : "long" + }, + "domain" : { + "ignore_above" : 1024, + "type" : "keyword" + 
},
+ "query" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "full" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "username" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ },
+ "@timestamp" : {
+ "type" : "date"
+ },
+ "service" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "state" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "ephemeral_id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "type" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "version" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ },
+ "organization" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ },
+ "haproxy" : {
+ "properties" : {
+ "error_message" : {
+ "norms" : false,
+ "type" : "text"
+ },
+ "tcp" : {
+ "properties" : {
+ "connection_waiting_time_ms" : {
+ "type" : "long"
+ }
+ }
+ },
+ "server_name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "bind_name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "geoip" : {
+ "properties" : { }
+ },
+ "total_waiting_time_ms" : {
+ "type" : "long"
+ },
+ "termination_state" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "time_queue" : {
+ "type" : "long"
+ },
+ "connection_wait_time_ms" : {
+ "type" : "long"
+ },
+ "destination" : {
+ "properties" : { }
+ },
+ "bytes_read" : {
+ "type" : "long"
+ },
+ "source" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "mode" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "backend_queue" : {
+ "type" : "long"
+ },
+ "backend_name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "client" : {
+ "properties" : { }
+ },
+ "frontend_name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "http" : {
+ "properties" : {
+ "request" : {
+ "properties" : {
+ "captured_cookie" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "raw_request_line" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "captured_headers" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "time_wait_ms" : {
+ "type" : "long"
+ },
+ "time_wait_without_data_ms" : {
+ "type" : "long"
+ }
+ }
+ },
+ "response" : {
+ "properties" : {
+ "captured_cookie" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "captured_headers" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "server_queue" : {
+ "type" : "long"
+ },
+ "time_backend_connect" : {
+ "type" : "long"
+ },
+ "connections" : {
+ "properties" : {
+ "retries" : {
+ "type" : "long"
+ },
+ "server" : {
+ "type" : "long"
+ },
+ "active" : {
+ "type" : "long"
+ },
+ "backend" : {
+ "type" : "long"
+ },
+ "frontend" : {
+ "type" : "long"
+ }
+ }
+ }
+ }
+ },
+ "user" : {
+ "properties" : {
+ "owner" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "effective" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "full_name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "saved" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "audit" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "terminal" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "email" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "filesystem" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ },
+ "hash" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "group" : {
+ "properties" : {
+ "name" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ },
+ "id" : {
+ "ignore_above" : 1024,
+ "type" : "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "aliases" : { }
+ }
+}
-- GitLab